IP Law Daily
News
Tuesday, February 2, 2016

Symantec did not infringe four Columbia University data security patents, but could have infringed two others

By Cheryl Beise, J.D.

The federal district court in Richmond, Virginia, properly construed two key claim terms appearing in four data security patents owned by Columbia University, but erred in construing a third claim term appearing in two other patents, the U.S. Court of Appeals for the Federal Circuit has decided. A stipulated judgment that Symantec Corporation did not infringe four patents (relating to computer system intrusions and malicious email attachments) was affirmed, as was a finding that two claims of one patent were invalid for indefiniteness. However, judgment of non-infringement regarding the remaining two patents (relating to anomalous program executions) was reversed and the case remanded (The Trustees of Columbia University v. Symantec Corp., February 2, 2016, Dyk, T.).

The Trustees of Columbia University (“Columbia”) owns six patents involving the application of data analytics techniques to computer security to detect and block malware: U.S. Patent No. 7,487,544 (the ’544 patent), U.S. Patent No. 7,979,907 (the ’907 patent), U.S. Patent No. 7,448,084 (the ’084 patent), U.S. Patent No. 7,913,306 (the ’306 patent), U.S. Patent No. 8,074,115 (the ’115 patent), and U.S. Patent No. 8,601,322 (the ’322 patent). The ’544 and ’907 patents share the same specification and relate to detecting malicious email attachments. The ’084 and ’306 patents share the same specification, and relate to a method for detecting intrusions in the operation of a computer system. The ’115 and the ’322 patents share a specification and relate to detecting anomalous program executions.

In 2013, Columbia filed suit against Symantec Corporation, accusing various Symantec security products of infringing certain claims of the six patents. Following the district court’s claim construction rulings, the parties stipulated to judgment of non-infringement and a finding of invalidity for indefiniteness of claims 1 and 16 of the ’544 patent.

On appeal, Columbia challenged the district court’s construction of three key claim terms: (1) “byte sequence feature” in the ’544 and ’907 patents; (2) “probabilistic model of normal computer system usage” in the ’084 and ’306 patents; and (3) “anomalous” in the ’115 and ’322 patents.

The ’544 and ’907 patents—“byte sequence feature.” The district court construed “byte sequence feature,” appearing in the ’544 and ’907 patents, to mean a “[f]eature that is a representation of machine code instructions of the executable.”

Columbia objected to the district court’s “machine code instructions” limitation. Columbia argued that the term “byte sequence feature” should be construed according to its plain meaning as an umbrella term for the properties or attributes of sequences of bytes that are extracted from any part of an executable, including not only machine code instructions but also other information.

The Federal Circuit disagreed. In Phillips v. AWH Corp., 415 F.3d 1303, 1320 (Fed. Cir. 2005) (en banc), the court explained that the specification “is always highly relevant to the claim construction analysis” and is, in fact, “the single best guide to the meaning of a disputed term.” In this case, the district court’s construction of “byte sequence feature” was well supported by the specification, which twice stated that the “byte sequence feature” was useful and informative “because it represents the machine code in an executable.” These statements were not simply descriptions of the preferred embodiment, but rather defined “byte sequence feature,” the court said. In addition, the provisional application showed that “byte sequence feature” extraction was just one type of “feature extraction” and not a general term.

Based on the district court claim construction, the parties stipulated to a judgment of non-infringement of all claims of the ’544 and ’907 patents because none of the accused products analyzed an attachment’s machine code instructions. The parties also stipulated to a judgment of indefiniteness as to claims 1 and 16 of the ’544 patent. Claims 1 and 16 described the step of extracting machine code instructions (a “byte sequence feature”) from “resource information,” which did not have machine code instructions.

The ’084 and ’306 patents—“probabilistic model of normal computer system usage.” Columbia next challenged the district court’s construction of “probabilistic model of normal computer system usage,” as used in claims 1, 9, and 14 of the ’084 patent and claims 1 and 7 of the ’306 patent. The district court construed the term to mean a “model of typical attack-free computer system usage that employs probability.” The term “normal computer system usage” was construed to mean “typical attack-free computer system usage.” The court later clarified that the model described in the ’084 and ’306 patents must be generated with “only attack-free data.”

According to the Federal Circuit, the district court correctly concluded that the “probabilistic model of normal computer system usage” of the ’084 and ’306 patents must be built with only attack-free normal data. According to the specification, the model is built by “[g]athering features from the records of normal processes that access the Windows registry.” Nothing in the specification described any embodiment that used attack data to build the model, the court noted.

The prosecution history also confirmed this conclusion. What distinguished the invention from the prior art was that it could predict whether a registry access was malicious from a model that was built using only normal data. Columbia pointed to three prior art references incorporated into the specification, but one reference was for a different invention and two fleeting references could not “overcome the overwhelming evidence in the specification and the prosecution history,” the court said.

Because none of the Symantec products built a model based on clean, attack-free data, the parties stipulated to a judgment of non-infringement of the ’084 and ’306 patents.

The ’115 and ’322 patents—“anomalous.” The district court construed “anomalous” as used in several claims of the ’115 and ’322 patents to mean “[d]eviation/deviating from a model of typical, attack-free computer system usage.” The claims covered media, systems, and methods for detecting and classifying anomalous program executions. After Columbia moved for clarification, the district court, relying on its construction of “normal computer usage” in the various claims of the ’084 and ’306 patents, found that the model in the ’115 and ’322 patents also used only attack-free data.

Contrary to the view of the district court and the parties, there was no reason why the construction of claim terms in the ’115 and ’322 patents should be the same as in the ’084 and ’306 patents, the Federal Circuit said. The four patents comprised two separate families, claimed two different inventions, had only one inventor in common, were filed years apart, and did not result from the same patent application.

The claims of the ’115 and ’322 patents themselves showed that the model could be built with both attack-free and attack data, the court observed. The prosecution histories of the ’115 and ’322 patents also supported Columbia’s assertion that the model could be built with attack-free and attack data. Therefore, the district court incorrectly construed the term “anomalous.”

Conclusion. The Federal Circuit affirmed the stipulated judgment of non-infringement of the asserted claims of the ’544 patent, the ’907 patent, the ’084 patent, and the ’306 patent. The district court’s finding of invalidity of claims 1 and 16 of the ’544 patent was also affirmed. However, the appeals court reversed the district court’s construction of “anomalous” and vacated the stipulated judgment of non-infringement as to all claims of the ’115 and the ’322 patents and remanded for further proceedings.

The case is No. 2015-1146.

Attorneys: David Isaac Gindler (Irell & Manella LLP) and Aaron Martin Panner (Law Office of Aaron M. Panner, PLLC) for The Trustees of Columbia University. David A. Nelson (Quinn Emanuel Urquhart & Sullivan, LLP) and Adam Conrad (King & Spalding LLP) for Symantec Corporation.

Companies: The Trustees of Columbia University; Symantec Corporation
